diff --git a/manifests/auth-proxy/auth-ingress.yaml b/manifests/auth-proxy/auth-ingress.yaml index 12af45d..dfc6c02 100644 --- a/manifests/auth-proxy/auth-ingress.yaml +++ b/manifests/auth-proxy/auth-ingress.yaml @@ -1,32 +1,5 @@ apiVersion: networking.k8s.io/v1 kind: Ingress -metadata: - name: auth-proxy-v2 - namespace: auth-proxy - annotations: - cert-manager.io/cluster-issuer: letsencrypt - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" -spec: - ingressClassName: nginx - tls: - - hosts: - - hello.cluster.fun - secretName: non-auth-proxy-ingress-v2 - rules: - - host: hello.cluster.fun - http: - paths: - - path: / - pathType: ImplementationSpecific - backend: - service: - name: tailscale-proxy - port: - name: auth - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress metadata: name: auth-proxy namespace: auth-proxy @@ -62,9 +35,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: argo.cluster.fun http: paths: @@ -72,9 +45,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: code.cluster.fun http: paths: @@ -82,9 +55,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: jackett.cluster.fun http: paths: @@ -92,9 +65,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: printer.cluster.fun http: paths: @@ -102,9 +75,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: ender3pro.printer.cluster.fun http: paths: @@ -112,9 +85,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: flsunq5.printer.cluster.fun http: paths: 
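Review bot: In the `@@ -62,9 +35,9 @@` hunk, and identically in every later hunk of this file through `@@ -212,6 +185,6 @@`, the backend for argo, code, jackett, the printer hosts, the *arr hosts, transmission, tekton and changedetection moves from service `auth-proxy` port `http` to service `tailscale-proxy` port `auth`, yet nothing in this diff defines the `tailscale-proxy` Service or its named port `auth`, so the commit cannot show that the port exists in the `auth-proxy` namespace or that whatever listens on it still authenticates callers. The backend being dropped was an oauth2-proxy running with `--provider=oidc`, i.e. the login gate in front of these hosts; if the `auth` port on `tailscale-proxy` is a plain forwarder rather than an equivalent gate, these sixteen rules would hand the upstreams to anyone who reaches the ingress over the public hostnames, so the PR description should state what serves that port and how it authenticates. A named port that does not exist on the Service is accepted at apply time and only fails later when the ingress controller resolves endpoints, so checking `spec.ports[].name` of `tailscale-proxy` in `auth-proxy` before merge would catch a typo across all sixteen rules at once. Separately, the deleted `auth-proxy.yaml` further down shows the removed Deployment carried a literal `--cookie-secret=` value in the manifest; deleting the file does not scrub it from history, so that value should be treated as exposed and rotated even though oauth2-proxy is being retired.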
@@ -122,9 +95,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: elegoomars2.printer.cluster.fun http: paths: @@ -132,9 +105,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: radarr.cluster.fun http: paths: @@ -142,9 +115,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: readarr.cluster.fun http: paths: @@ -152,9 +125,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: sonarr.cluster.fun http: paths: @@ -162,9 +135,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: lidarr.cluster.fun http: paths: @@ -172,9 +145,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: prowlarr.cluster.fun http: paths: @@ -182,9 +155,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: transmission.cluster.fun http: paths: @@ -192,9 +165,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: tekton.cluster.fun http: paths: @@ -202,9 +175,9 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth - host: changedetection.cluster.fun http: paths: @@ -212,6 +185,6 @@ spec: pathType: ImplementationSpecific backend: service: - name: auth-proxy + name: tailscale-proxy port: - name: http + name: auth 
diff --git a/manifests/auth-proxy/auth-proxy.yaml b/manifests/auth-proxy/auth-proxy.yaml
deleted file mode 100644
index a69f39c..0000000
--- a/manifests/auth-proxy/auth-proxy.yaml
+++ /dev/null
@@ -1,179 +0,0 @@ - -apiVersion: v1 -kind: Secret -metadata: - name: tailscale-auth-proxy -type: Opaque ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tailscale-auth-proxy - labels: - app.kubernetes.io/name: tailscale ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tailscale-auth-proxy - labels: - app.kubernetes.io/name: tailscale -subjects: -- kind: ServiceAccount - name: "tailscale-auth-proxy" -roleRef: - kind: Role - name: tailscale-auth-proxy - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: tailscale-auth-proxy - labels: - app.kubernetes.io/name: tailscale -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] -- apiGroups: [""] - resourceNames: ["tailscale-auth-proxy"] - resources: ["secrets"] - verbs: ["get", "update"] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: auth-proxy - namespace: auth-proxy - labels: - app: auth-proxy - annotations: - secret.reloader.stakater.com/reload: "tailscale-auth" -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: auth-proxy - template: - metadata: - labels: - app: auth-proxy - spec: - serviceAccountName: tailscale-auth-proxy - dnsPolicy: ClusterFirst - dnsConfig: - nameservers: - - 100.100.100.100 - initContainers: - - name: sysctler - image: busybox - securityContext: - privileged: true - command: ["/bin/sh"] - args: - - -c - - | - sysctl -w net.ipv4.ip_forward=1 - sysctl -w net.ipv6.conf.all.forwarding=1 - sysctl -w net.ipv6.conf.all.disable_ipv6=0 - resources: - requests: - cpu: 1m - memory: 1Mi - containers: - - name: oauth-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 - args: - - --cookie-secure=false - - --provider=oidc - - --provider-display-name=Auth0 - - --upstream=http://talos.averagemarcus.github.beta.tailscale.net - - --http-address=0.0.0.0:8080 - - --email-domain=* - - --pass-basic-auth=false - - --pass-access-token=false 
- - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT - - --cookie-expire=336h0m0s - env: - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - key: username - name: auth-proxy - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: password - name: auth-proxy - ports: - - containerPort: 8080 - protocol: TCP - resources: - limits: - memory: 50Mi - requests: - memory: 50Mi - - name: tailscale - image: ghcr.io/tailscale/tailscale:v1.62 - imagePullPolicy: Always - env: - - name: TS_AUTH_KEY - valueFrom: - secretKeyRef: - name: tailscale-auth - key: password - - name: TS_KUBE_SECRET - value: tailscale-auth-proxy - - name: TS_ACCEPT_DNS - value: "true" - - name: TS_EXTRA_ARGS - value: "--hostname=auth-proxy-oauth2" - securityContext: - capabilities: - add: - - NET_ADMIN - command: - - sh - - -c - - | - export PATH=$PATH:/tailscale/bin - if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi - if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi - echo "Starting tailscaled" - tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock & - PID=$! - echo "Running tailscale up" - tailscale --socket=/tmp/tailscaled.sock up \ - --accept-dns=${TS_ACCEPT_DNS} \ - --authkey=${TS_AUTH_KEY} \ - ${TS_EXTRA_ARGS} - echo "Re-enabling incoming traffic from the cluster" - wait ${PID} ---- -apiVersion: v1 -kind: Service -metadata: - name: auth-proxy - namespace: auth-proxy - labels: - app: auth-proxy -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: auth-proxy - type: ClusterIP - ----